PSA Insurance and Financial Serviceshttps://www.psafinancial.com
Tue, 15 Aug 2017 14:19:49 +0000en-UShourly1PsaPerspectivehttps://feedburner.google.comGame of Stones: Examining the Foundational Elements of Effective Negotiationhttp://feedproxy.google.com/~r/PsaPerspective/~3/oPqfpcFJkos/
https://www.psafinancial.com/2017/08/game-stones-examining-foundational-elements-effective-negotiation/#respondThu, 10 Aug 2017 17:28:51 +0000https://www.psafinancial.com/?p=8956According to Mark Jankowski, founder of Amplified Learning, effective negotiation requires three things: attitude, tools, and skills. “You can have any one, or even two of those things, but if you don’t put them all together, you won’t be effective,” he said at a recent PSA Partnership Event, “Game of Stones.” Where did he first […]

“You can have any one, or even two of those things, but if you don’t put them all together, you won’t be effective,” he said at a recent PSA Partnership Event, “Game of Stones.”

Where did he first learn this lesson? Ten thousand feet in the air, as he was jumping out of a plane.

He told the story of when he went skydiving with a group of friends. “They taught you five basic things: how to let go of the wing, how to arch your back while you were falling, how to pull the rip cord, how to untangle your lines, and how to land,” he explained. “And they had you practice these things over and over.”

And that practice came in handy when Jankowski’s lines did get tangled. Fortunately, with the right attitude, tools, and skills, he was able to fix the lines and land successfully. Here’s how that lesson applies to successful business negotiation.

Attitude

According to Jankowski, attitude is a vital element in the negotiation process. To demonstrate his point, he showed a video clip from the TV show Mad Men. In the clip, ad executive Don Draper believed in his value proposition so strongly, he was willing to walk away from a potential deal rather than compromise.

“When I talk about ‘attitude,’ what I really want to talk about is value propositions,” Jankowski explained. “Do you believe enough in what you’re doing and how you’re doing it to sell with confidence?”

If you don’t, it might be time to reexamine your value proposition. Often, Jankowski said, companies don’t communicate their mission and value in a way that appeals to what customers truly care about. For example, Sherwin Williams once explained its value proposition as, “2,000 stores to serve you better.”

But really, it wasn’t the number of stores that delivered value to the customers. Other paint suppliers delivered paint directly to construction sites, which often led to waste — paint would spoil, settle, or get stolen. The true benefit of Sherwin Williams stores is that they serve as inventory centers, where paint can be stored until customers actually need it. Once the company realized that, its value proposition became: “Local inventory centers providing just-in-time delivery to help you manage costs by reducing theft, spoilage, and over-ordering.” That was what spoke to their customers.

Now, apply that lesson to your company. “Write down your value proposition as it currently exists today,” recommended Jankowski. “Evaluate it, and think about if it really captures the essence of what your customers want, as well as that Don Draper-type attitude.”

However, Jankowski warned, attitude isn’t enough on its own. You must also have the right tools.

Tools

Jankowski explained that companies often do post-mortems (i.e., analyzing lost opportunities to determine what went wrong), but few do pre-mortems.

“Pretend it’s the day after you lost the deal,” Jankowski explained. “Discuss what caused you to lose the deal.” You can likely foresee the issues that will come your way, whether it’s your prices, products, processes, or people.

Then, Jankowski suggested working through a negotiation planning worksheet, which included the following elements:

Leverage: Think about what gives you power within the scope of a particular negotiation. Are you the best available solution? That certainly drives power. Are you the incumbent vendor? That gives you leverage because the costs of switching can be high. Is there an internal champion at the company that’s pulling for you? When you start to think through these options, you may discover you have more power than you think.

Alternatives: Before you enter a negotiation, you should think about the best- and worst-case scenarios. What is your highest goal? What is your walk-away point? And to get to a favorable agreement, what are the things you’d be willing to trade (e.g., would you agree to fewer years in a contract in exchange for a higher price?)?

Network: Who’s involved in the sale? On average, 5.4 decision makers are involved in complex sales. To prepare for negotiation, you should identify those influencers and determine if they are supporters, blockers, or neutral.

Frame: What is the negotiation truly about? In the Sherwin Williams example above, the company had to realize it wasn’t about the stores, it was about the inventory. They reframed the challenge. “When you change the frame, you change the game,” Jankowski said.

Working through these exercises will help you see the complete picture of the negotiation before it even happens — setting you up for a better chance at success. Of course, when you come to the actual negotiation, you’ll also need the skills to close the deal.

Skills

“You can have the confidence, you can have the preparation, but if you don’t have the skills, you won’t be effective when you get in there,” said Jankowski.

In particular, Jankowski recommends you learn how to ask effective questions. “The best negotiators are genuinely curious,” he said. “You should be asking, ‘What is important to you?’ But don’t stop there — then ask ‘What else is important to you? What else? What else?’ You want to get everything on the table before you begin negotiating, so you can tailor your offer accordingly.”

Another effective tactic is answering a question with a question. “When someone asks a question, they have a thought behind that question,” Jankowski explained. He gave an example: Once, he was negotiating with a potential client and he was asked, “What other gas companies do you work with?”

Rather than immediately providing an answer, Jankowski asked, “Why is that important to you?” It turned out, the client wasn’t looking for someone who worked for his competition; he wanted to make sure that Jankowski would only dedicate his expertise to his gas company. That response influenced the way Jankowski answered the question and ultimately helped him land the deal.

With attitude, tools, and skills, you’ll be able to expertly handle any negotiation. Learn more about Jankowski and negotiation training at Amplified Learning. Also, make sure to attend our next PSA Partnership event, “Survive an Active Shooting,” on September 26.

Information contained herein is generic in nature and provided by sources believed to be reliable. It is for informational purposes only and is not guaranteed as to accuracy, may not reflect our current opinion, and is not intended to replace the advice of a qualified professional. All rights reserved. No reproduction in whole or in part is permitted without the express written consent of PSA. PSA Insurance & Financial Services, its affiliates and employees are not responsible for the content of other web or social networking sites. PSA Financial Advisors, Inc. is a Registered Investment Advisory firm located at 11311 McCormick Road, Hunt Valley, MD 21031, and may only transact business in those states in which they are registered or exempted from registration. Contact our office at 410 821-7766. To protect your privacy, do not send personal information via the internet.

]]>https://www.psafinancial.com/2017/08/game-stones-examining-foundational-elements-effective-negotiation/feed/0https://www.psafinancial.com/2017/08/game-stones-examining-foundational-elements-effective-negotiation/Don’t let interview bias and other missteps lead to a bad hirehttp://feedproxy.google.com/~r/PsaPerspective/~3/5udbhu7ybUo/
https://www.psafinancial.com/2017/08/dont-let-interview-bias-missteps-lead-bad-hire/#respondThu, 03 Aug 2017 17:57:24 +0000https://www.psafinancial.com/?p=8946When you are recruiting for an open position at your company, you want to hire someone who will succeed in the role. But that’s not always what actually happens. Often, interviewers are drawn to the people they relate to or simply like the most, rather than the candidates who are the most qualified. While that […]

]]>When you are recruiting for an open position at your company, you want to hire someone who will succeed in the role. But that’s not always what actually happens. Often, interviewers are drawn to the people they relate to or simply like the most, rather than the candidates who are the most qualified.

While that can help foster workplace friendships and build a close-knit culture, it doesn’t always result in successful performance.

That’s why it’s important to look at your candidates from all angles. Here are nine things to consider during and after an interview to help form an accurate assessment of each candidate and determine if he or she is right for the position.

Be aware of your bias

In a University of Toledo study, researchers found that the judgments made in the first 10 seconds of an interview could predict the outcome of that interview. Why? Once an interviewer forms a first impression, he or she spends 99.4 percent of the rest of the time trying to confirm that initial impression.

Basically, if you like the candidate from the beginning, you’ll look for more reasons to like them. If you’re put off by the candidate in your initial encounter, you’ll look for reasons to reject them.

Knowing this, it’s important to be aware of your bias and keep an open mind — throughout the entire interview.

Detailed, specific answers

During an interview, the applicant should do most of the talking. Try to follow the 80/20 rule — that is, the candidate should do 80 percent of the talking, while the interviewer fills in the remaining 20 percent.

Be on the lookout for answers that seem too broad or general. If the candidate can’t provide adequate details and examples, they might not actually have the experience the role requires. The more specific the answer, the better. (And if the candidate doesn’t offer up a specific answer at first, don’t immediately speak up — silence can encourage the candidate to elaborate.)

If possible, don’t just rely on candidates’ answers to interview questions; give them an exercise to test their skills. A work sample test — something similar to what they would do on the job — is a good predictor of how someone will perform in a job.

To give you an idea of how important it is, consider this: The number of years of work experience only explains 3 percent of an employee’s performance, while a work sample test explains 29 percent.

You can develop an assessment on your own (for example, asking a project manager candidate to put together a sample project proposal), or use an employment test from a reputable company.

Body language

Don’t only focus on the words coming out of the candidate’s mouth. Make sure you also watch their body language. Some HR experts say that body language accounts for 93 percent of messages candidates express during an interview — while verbal communication only accounts for 7 percent.

It’s common for interviewees to be nervous, but if you see any signs of extreme discomfort — for example, if they can’t maintain eye contact or smile, which are the two leading faux pas job seekers make during an interview — you’ll have to decide if that nervousness may impact the candidate on the job. For example, they may not be right for a role that involves significant client interaction or public speaking.

There are several other telltale signs to look out for, as well. For example, some say that if a candidate keeps touching their nose, they may not be telling the truth. Or, if they keep crossing their arms, they may be defensive or hiding something. While there’s no defined dictionary for body language, small gestures can have a deeper meaning.

Outside opinions, multiple interviews

Gathering multiple opinions from other people in your office can be key to selecting the right candidate. For example, your receptionist will get the very first impression of your candidate when they walk in the door — and that can be a great way to gain more insight into the interviewee’s true character. Did the candidate warmly greet the receptionist? Treat them like a subordinate? Ignore them completely?

Along the same lines, some companies also choose to have someone from another department join the interview — for example, asking someone from the legal team to interview a prospective sales hire. Or, if the candidate is applying to become a manager, you might have them meet with their prospective direct reports, since that’s who they’ll be spending most of their time with. (Plus, allowing the candidate to meet potential co-workers and other team members can help get them excited about the role and give them another reason to want to join your team!)

To get an accurate assessment of a candidate, it’s also a good practice to bring them back in for additional interviews scheduled for a different day. Anyone can have one great day. But it is hard to be someone, they are not in multiple rounds of conversations.

Preferred work and communication style

A business with 100 employees spends an average downtime of 17 hours a week clarifying communication — which translates to an annual cost of $528,443 per business. That’s why it’s so important to identify your candidate’s preferred work and communication styles.

How does the candidate prefer to communicate? Sixty percent of people over age 55 prefer face-to-face communication — and while the number isn’t much lower for employees age 25 to 34 (55 percent), the younger age group does prefer email/text communication more than the older group (35 percent vs. 28 percent).

Does the candidate prefer solo work or a lot of collaboration? Does the applicant prefer to write out a detailed game plan before acting or jump right into execution? Does the candidate have a direct or passive communication style? Digging into these questions can help you identify employees that will be the best fit in your culture and help your teams work most effectively. (Or, you can provide them with a free communication style assessment or personality/behavior test, such as DISC, to see if they would be compatible with your team.)

The airport test

You can only get so much information from traditional interview questions like, “Tell me about a time you failed.” In the end, you also have to get a feel for how the candidate may interact with the rest of your team and your clients. That’s where the airport test comes in. Simply ask yourself: Would you want to be stuck in an airport with this person?

In other words, can you hold a pleasant conversation with the candidate? Would they be able to chat with a client over a meal? Does their personality mesh with the rest of the team?

To assess this, you can’t skip the small talk. It’s OK to ask questions that aren’t relevant to the job qualifications, as long as you remain professional, and you are aware of your potential bias, discussed above. For example, you could ask a question related to their areas of interests, accomplishments, affiliations with honor societies or something else that was listed on their resume. Alternatively, if they casually mention something about them going to see a game over the weekend, or drop off their children at a birthday party, you could engage in the conversation. Just remember to stay away from questions that could be interpreted as discriminatory — for instance, topics that could reveal sensitive information about their race, marital status, age or sexual orientation.

Gut instinct

When it comes to using your gut, you shouldn’t solely rely on your intuition to decide to hire someone (that decision should be based on solid evidence from your interviews) — however, it can be useful to decide when not to hire someone. If some interviewers who met the candidate have the gut instinct that the person is wrong for the organization or role, you might want to think twice. However, be careful that your gut instinct isn’t based on any protected characteristics (e.g., race, sex, age, marital status).

Candidate questions

Your interview should be a two-way street. At the end of the interview, you’ll probably ask, “Do you have any questions for me?” And you probably won’t be too impressed with questions like, “What hours would I be working?” or “How much is the salary?” (or worse, “I don’t have any questions.”)

The best candidates are the ones who take initiative to develop questions that show they’re actually interested in the company and care about getting the job — like “How does your company live up to its core values?” or “What would you expect me to accomplish in the first 30, 60, or 90 days on the job?”

By following these recommendations, you’ll be better equipped to evaluate your interviewees and make a smart hiring decision. For additional assistance in developing the right interview questions to identify the best candidates for your business, read Looking for top talent? Employers need to nail the interview, and download our sample interview questions below. If you need more assistance with hiring, contact me at rsinger@psafinancial.com.

]]>https://www.psafinancial.com/2017/08/dont-let-interview-bias-missteps-lead-bad-hire/feed/0https://www.psafinancial.com/2017/08/dont-let-interview-bias-missteps-lead-bad-hire/HIPAA and the Cloud (Benefit Minute)http://feedproxy.google.com/~r/PsaPerspective/~3/U4c1s32WplU/
https://www.psafinancial.com/2017/07/hipaa-cloud-benefit-minute/#respondThu, 27 Jul 2017 13:41:33 +0000https://www.psafinancial.com/?p=8934Cloud computing allows convenient on-demand network access to a shared pool of computing resources (such as networks, servers, storage and applications) that can be rapidly supplied and used with minimal management effort or service provider interaction. The computing resources are pooled to serve multiple customers and can be scaled to meet changes in demand. There […]

]]>Cloud computing allows convenient on-demand network access to a shared pool of computing resources (such as networks, servers, storage and applications) that can be rapidly supplied and used with minimal management effort or service provider interaction. The computing resources are pooled to serve multiple customers and can be scaled to meet changes in demand.

There are a variety of cloud models, including:

Private cloud – exclusive use by a single organization.

Community cloud – use by a community of customers that have shared concerns (including security requirements and compliance considerations).

Public cloud – open use by the general public.

Hybrid cloud – use by two or more distinct cloud models that remain unique entities but are bound together by standardized or proprietary technology.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA’s privacy, security and breach notification rules require safeguards for protected health information (PHI) that is created, received, maintained or transmitted by a covered entity (including a health insurer or group health plan) or a business associate.

The implementation of file sharing and collaboration tools, including tools that use cloud technology, introduce additional risks to the privacy and security of electronic PHI (ePHI). For example, access, authentication, encryption and other security controls may be disabled or left with default settings when transferred to or stored in the cloud, which can lead to unauthorized access to or disclosure of sensitive data.

Use of cloud service providers has also raised questions about whether these entities are HIPAA business associates when the cloud is used to create, receive, maintain or transmit ePHI.

HHS Guidance

In response to these questions, the Department of Health and Human Services (HHS) has provided guidance on this topic. The guidance clarifies:

A cloud service provider will be a business associate if creating, receiving, maintaining, or transmitting ePHI on behalf of a covered entity or another business associate. Therefore a HIPAA-compliant business associate agreement must be in place. The business associate agreement will contractually require the cloud service provider to implement the requirements of the security rule and appropriately safeguard the ePHI.

The covered entity or business associate using the cloud service provider must have a complete understanding of the cloud computing environment and conduct its own risk analysis to identify the potential threats and exposures to the confidentiality, integrity and availability of the ePHI. While any cloud model may be used, the model selected may impact the risk analysis and the risk management policies that are developed as a result of the risk analysis.

Even if a cloud service provider stores only encrypted ePHI and does not hold the decryption key (meaning that the cloud service provider cannot view the information), the cloud service provider is still a business associate because such protections alone cannot adequately safeguard the ePHI or meet all of the requirements of the security rule.

If a cloud service provider experiences a security incident involving ePHI or a breach of unsecured ePHI, there is a requirement to report this to the covered entity or other business associate in accordance with the security rule. Even if encryption is in place, a breach may occur if the encryption is not at the level that meets HIPAA standards or if the decryption key was also breached.

A covered entity or business associate may use a cloud service provider that stores ePHI on servers located outside of the United States as long as the requirements of the security rule are met. However, the risk analysis and risk management policies should address any additional threats or exposures that may exist, especially if the ePHI is maintained in a country where there are documented increased attempts at hacking or other malware attacks.

Risk Analysis Tool

The risks associated with use of cloud services re-enforce the importance of the risk analysis process, which is the first step in identifying and implementing safeguards to protect the confidentiality, integrity and availability of ePHI. The security rule includes an express requirement to complete this process.

HHS has developed an interactive security risk assessment tool to assist with the process that is downloadable for free. The tool asks specific questions about the activities of the covered entity or business associate and, based on the answers, provides guidance with respect to corrective action that should be taken for each item. While use of the tool is not required (and compliance is not guaranteed), it does provide a framework for performing a risk analysis.

Disclosure Information
Information contained herein is generic in nature and provided by sources believed to be reliable. It is for informational purposes only and is not guaranteed as to accuracy, may not reflect our current opinion, and is not intended to replace the advice of a qualified professional. All rights reserved. No reproduction in whole or in part is permitted without the express written consent of PSA. PSA Insurance & Financial Services, its affiliates and employees are not responsible for the content of other web or social networking sites. PSA Financial Advisors, Inc. is a Registered Investment Advisory firm located at 11311 McCormick Road, Hunt Valley, MD 21031, and may only transact business in those states in which they are registered or exempted from registration. Contact our office at 410 821-7766. To protect your privacy, do not send personal information via the internet.

]]>https://www.psafinancial.com/2017/07/hipaa-cloud-benefit-minute/feed/0https://www.psafinancial.com/2017/07/hipaa-cloud-benefit-minute/A Snapshot of Today’s Most Prevalent Cyber Threats for the Non-Technical Executive, Part 2http://feedproxy.google.com/~r/PsaPerspective/~3/tTjsEwJj92E/
https://www.psafinancial.com/2017/07/snapshot-todays-prevalent-cyber-threats-non-technical-executive-part-2/#respondThu, 20 Jul 2017 18:24:01 +0000https://www.psafinancial.com/?p=8924In a recent blog post, we shared two prevalent cyber risks that your organization should be aware of — phishing and malware. Of course, those aren’t the only two threats you face when using technology or handling electronic data. This blog post provides an overview of two additional cyber threats to help you build a […]

]]>In a recent blog post, we shared two prevalent cyber risks that your organization should be aware of — phishing and malware. Of course, those aren’t the only two threats you face when using technology or handling electronic data. This blog post provides an overview of two additional cyber threats to help you build a foundational awareness of some of the most common threats and make informed decisions about operating securely in today’s interconnected environment. Botnets and Distributed Denial of Service Attacks (DDOS)

A common technique of hackers is to create Botnets by infecting a network of computers or internet connected devices with a type of malware, which commands and controls infected Internet of Things (IoT) devices. Most internet-connected devices can become Botnets, including desktop computers, laptops, security cameras, DVRs, routers, refrigerators, video game systems and other networked technology.

Once a malicious actor builds a Botnet of a significant size, they direct massive amounts of internet traffic at target websites and servers, which can prevent customers, employees, businesses, or other groups from accessing those online resources. This can lead to harmful business interruption if the targeted service is integral to the operations of the organization. This technique is known as Distributed Denial of Service (DDoS).

In a recent DDoS, an attack on a Domain Name Service provider led to service interruption for secondary victims ­— popular sites including Amazon, Netflix, Pinterest, Twitter, and PayPal, just to name a few. This attack was far more effective than targeting each site individually.

What is most interesting and has the greatest implications for security is that this attack used malware that scanned the internet and automatically infected poorly secured devices to build a Botnet, without ever involving humans. Ultimately, the cybercriminals were able to build a network of over 100,000 IoT devices to carry out the attack. This virus is unique because it used machine learning to compromise devices that were not considered a priority to secure, such as DVRs, routers and security cameras.

This example shows that even businesses not directly targeted can be impacted by cyberattacks. If your organization uses third-party vendors to host data or a website, provide services to clients or any other number of applications, your organization is open to cyber risks — even when you are not the intended target of a cyberattack.

Why You Should Care: If you rely on websites, cloud services, or other web-based technology to run your operations, you could be impacted by a DDoS attack. If you choose to work with a vendor to host your site or rely on third party applications that you access through the web, make sure you ask what DDoS mitigation strategies they have in place. To minimize the risk of your technology becoming part of a Botnet, it is also important to use updated versions of software, implement security patches for the technology you use and keep your anti-virus and malware defenses up to date.

Insider Threat and the Human Factor

Another aspect of cybersecurity that is difficult to control is the interaction between humans and technology. In some cases, the technology is extremely secure from a digital perspective, but compromises or data breaches still occur due to the actions of a malicious insider or simple mistakes of well-meaning employees.

For instance, a disgruntled or financially motivated employee, with authorized access to your organization’s systems and data, can abuse their privileges in order to leak sensitive information, steal data or expose your organization to a cyberattack. One very common example of malicious insider activity is “Departing Employee Data Theft,” where a departing employee steals and passes information to their next employer. Another well-known example of an insider using privileged access is the former National Security Agency (NSA) contractor Edward Snowden that leaked thousands of classified NSA documents.

Well-meaning employees can also present a cyber threat by making simple mistakes, losing a device, sending confidential files to the wrong email address, or falling for a phishing email – all of which can expose your organization’s network.

Why You Should Care: If you have employees and use technology, this is a risk you must consider and address. Employees need access to technology, data, and confidential information to do their jobs. Yet, if passwords, data, privileged access, or other sensitive information falls into the wrong hands, it could be disastrous for your business. Success requires a holistic strategy driven by leadership that integrates people, process, and technology. In addition to strong defenses and early detection, organizations should also focus on strategies that help them respond and recover from a cyber incident caused by an insider.

Armed with information about the likely threats facing your organization and a good understanding of the possible vulnerabilities in your technology, workforce and processes, you can assess the impact of a cyber incident and determine how to secure your operation.

Make sure to read the upcoming posts of this series to learn how your organization can continue along the path of improving enterprise risk resiliency. If you have any questions or for more information contact me at mvolk@psafinancial.com.

Disclosure Information
Information contained herein is generic in nature and provided by sources believed to be reliable. It is for informational purposes only and is not guaranteed as to accuracy, may not reflect our current opinion, and is not intended to replace the advice of a qualified professional. All rights reserved. No reproduction in whole or in part is permitted without the express written consent of PSA. PSA Insurance & Financial Services, its affiliates and employees are not responsible for the content of other web or social networking sites. PSA Financial Advisors, Inc. is a Registered Investment Advisory firm located at 11311 McCormick Road, Hunt Valley, MD 21031, and may only transact business in those states in which they are registered or exempted from registration. Contact our office at 410 821-7766. To protect your privacy, do not send personal information via the internet.

]]>https://www.psafinancial.com/2017/07/snapshot-todays-prevalent-cyber-threats-non-technical-executive-part-2/feed/0https://www.psafinancial.com/2017/07/snapshot-todays-prevalent-cyber-threats-non-technical-executive-part-2/A Snapshot of Today’s Most Prevalent Cyber Threats for the Non-Technical Executive, Part 1http://feedproxy.google.com/~r/PsaPerspective/~3/t43mkHNq_Lw/
https://www.psafinancial.com/2017/07/snapshot-todays-prevalent-cyber-threats-non-technical-executive-part-1/#respondWed, 12 Jul 2017 13:19:14 +0000https://www.psafinancial.com/?p=8918Keeping up with the ever-changing cyber threat landscape is essential for making smart decisions about cyber risk management. For many leaders, combing through the constant stream of information can be challenging and time consuming. A good approach to sort through the intimidating amount of information is to set a simple, achievable goal of dedicating time […]

]]>Keeping up with the ever-changing cyber threat landscape is essential for making smart decisions about cyber risk management. For many leaders, combing through the constant stream of information can be challenging and time consuming. A good approach to sort through the intimidating amount of information is to set a simple, achievable goal of dedicating time each week to read notable cybersecurity headlines. The goal is not to become a cybersecurity expert, but to build a general knowledge base and awareness of current issues that can inform decisions and help determine the cybersecurity strategy for the organization.

To help you start this process, I will review four of the most prevalent cyber threats all leaders should be aware of in today’s environment. The top two threats are discussed below, while the next two will be covered in my upcoming blog post. This is not exhaustive, but is a good start to help you develop a baseline level of awareness for continued reading and analysis.

Social Engineering and Phishing
Social engineering is a non-technical method designed to trick unsuspecting individuals into sharing or granting access to information that malicious actors can use to start or expand an attack.

Phishing and spear-phishing are social engineering attacks that use email as the delivery mechanism. You might be thinking, “these are not emerging exposures – they have been around for a while.” Yes, but the attacks are becoming highly sophisticated, and it is increasingly more difficult to tell a malicious and a legitimate email apart. These are among the most common attack techniques because they are easy to deploy against any organization that uses email. These attacks are designed to look like legitimate emails to trick a user into clicking on a link, downloading an attachment, or sharing personal or confidential information. Phishing emails are generally more generic and sent to a large pool of victims. Spear-phishing emails require more research by the attacker and are crafted for specific individuals or a smaller group of victims.

Some of the most prevalent low-tech phishing attacks today are wire funds transfer fraud and W-2 scams. Neither scam involves hacking, malicious code, or any other advanced technique. They are simply designed to prey on well-meaning but unsuspecting employees.

Wire funds transfer fraud occurs when a cybercriminal sends an email impersonating an executive to a targeted group of employees requesting funds to be transferred into a specified account. The emails look legitimate and unsuspecting employees make the transfer because they want to be responsive to their leadership. Once the funds are transferred, they are often very difficult to recover and there are few options to pursue if the organization does not have the proper insurance in place.

W-2 scams follow a similar pattern, where an attacker sends fraudulent emails impersonating an executive and asks employees to send W-2 information for tax purposes. The result is a data breach that can compromise personally identifiable information of every employee of the organization.

Why You Should Care: Cybersecurity technology today is very effective. However, these tools can’t change your employees’ behavior or guarantee they won’t be deceived by social engineering or phishing attacks. Instead, a holistic approach driven by leadership is required.

Malware

Malware is computer code written by cybercriminals to exploit known vulnerabilities in common software and computer applications. The purpose of malware is to enable an attacker to disrupt systems, destroy data, export information, and collect information about activities and users. Infections can occur when a user goes to a compromised website, downloads an infected attachment, or when a hacker gains access and installs code, as well as countless other possibilities.

Crimeware is a type of malware. Its purpose is to facilitate an illegal activity, such as theft of money or data. Crimeware is becoming increasingly common as hackers are now selling exploits on the dark web to less sophisticated cybercriminals. This “Cyber-Crime-as-a-Service” model removes the difficult task of building an exploit from the cybercrime equation. With a pre-built exploit, cybercriminals can focus on developing distribution campaigns to increase the number of victims and return on their investment. A common type of crimeware that impacts businesses and consumers on a wide scale is ransomware.

Ransomware has been in the headlines lately with the WannaCry outbreak that hit in May of 2017. Once installed, it locks computer files with sophisticated encryption that cannot easily be broken. WannaCry was especially dangerous as it also exploited a known vulnerability in Windows server to spread from one infected host to the entire network. Ransomware encrypts a victim’s electronic files, then the cybercriminal asks for ransom to be paid in exchange for unlocking the files. If the encrypted data is essential to the company’s operations, this can cripple the organization. Even more, without a professional cyber forensic investigation, it is difficult to know the scope of the compromise or the scale of access obtained by the attacker.

Why You Should Care: No organization is too small or insignificant to fall victim to crimeware or ransomware, especially because they can be distributed on a mass scale to maximize the number of possible victims. It’s like the common cold virus – it spreads through normal daily interaction, and if you are vulnerable, you can catch it. Unfortunately, completely eliminating vulnerabilities in technology is not yet possible, and stopping people from using email and the internet (attachments and links) is unrealistic. Keeping up to date with software patches and security updates, and regularly backing up data are some steps businesses can take to become more resilient. But taking it beyond – by training employees, and having an incident response team, execution plan, and external resources available to respond – should be a critical part of your holistic cybersecurity strategy.

Stay tuned for our next blog post, where you will learn about two additional common cyber threats you should have on your radar to help you continue along the path of improving enterprise risk resiliency. In the meantime, tapping into a trusted cyber news aggregator (such as the CyberWire) is a great way to scan headlines, monitor important topics, and stay updated on new and emerging issues.

Disclosure Information
Information contained herein is generic in nature and provided by sources believed to be reliable. It is for informational purposes only and is not guaranteed as to accuracy, may not reflect our current opinion, and is not intended to replace the advice of a qualified professional. All rights reserved. No reproduction in whole or in part is permitted without the express written consent of PSA. PSA Insurance & Financial Services, its affiliates and employees are not responsible for the content of other web or social networking sites. PSA Financial Advisors, Inc. is a Registered Investment Advisory firm located at 11311 McCormick Road, Hunt Valley, MD 21031, and may only transact business in those states in which they are registered or exempted from registration. Contact our office at 410 821-7766. To protect your privacy, do not send personal information via the internet.

]]>https://www.psafinancial.com/2017/07/snapshot-todays-prevalent-cyber-threats-non-technical-executive-part-1/feed/0https://www.psafinancial.com/2017/07/snapshot-todays-prevalent-cyber-threats-non-technical-executive-part-1/Compliance Updates (Benefit Minute)http://feedproxy.google.com/~r/PsaPerspective/~3/s2Zgq4ZQC7g/
https://www.psafinancial.com/2017/06/compliance-updates-benefit-minute-2/#respondThu, 29 Jun 2017 14:26:18 +0000https://www.psafinancial.com/?p=8896This issue provides a summary of recent regulatory, judicial and legislative activity. ACA Repeal and Replace On May 4, 2017, the House of Representatives passed the American Health Care Act (AHCA) by a small margin. The bill includes the following provisions: Retroactively reduce the individual and employer mandate penalties to zero; Repeal various fees and […]

On May 4, 2017, the House of Representatives passed the American Health Care Act (AHCA) by a small margin.

The bill includes the following provisions:

Retroactively reduce the individual and employer mandate penalties to zero;

Repeal various fees and taxes, including the health insurance tax, the medical device tax and the tax on net investment income;

Further delay the cadillac tax until 2026;

Increase HSA annual contribution limits;

Change the structure of premium tax credits; and

Curtail Medicaid expansion by 2020.

On June 22, 2017, the Senate released a draft of their version of a repeal and replace bill called the Better Care Reconciliation Act (BCRA). The key provisions of the bill largely mirror the House legislation; however, Medicaid expansion is phased out more slowly but ultimate cuts are deeper than under the AHCA. The BCRA also allows establishment of small business association plans.

BCRA has been written as a reconciliation bill so that only a simple majority is needed for passage. Senate leadership had initially promised a vote before Congress recessed for the July 4th holiday, but later delayed it to have time to make further changes and secure additional votes. If passed, the two chambers of Congress will then have to resolve differences between their bills.

HSA Limits for 2018

The limits for qualified high deductible health plans (QHDHPs) and health savings accounts (HSAs) for plan years beginning in 2018 are set forth below.

For health plans that are not QHDHPs, the out-of-pocket maximums for plan years beginning in 2018 are $7,350 (individual) and $14,700 (family – must include an embedded individual amount not to exceed $7,350).

ERISA has a specific exemption for employee benefit plans that are “established and maintained” by a church or by a convention or association of churches that is exempt from tax under section 501 of the Internal Revenue Code. This definition includes a plan maintained by an organization (such as an internal benefits committee) whose principal purpose is administering a benefit plan for employees of the church or the church-affiliated nonprofit organization, as long as the organization is controlled by or associated with a church. Several court cases have addressed whether benefit plans maintained by a church-affiliated hospital, university or service organization meet the church plan definition if such plans were not originally established by a church.

A recent Supreme Court case affirmed that employee benefit plans maintained by these church-affiliated organizations are exempt from ERISA. The Court reasoned that the category of plans “established and maintained” by a church includes plans maintained by a principal-purpose organization, so a plan maintained by a principal-purpose organization is an exempt church plan (whether or not established by a church). While the court cases in question related to retirement plans, the same analysis applies for welfare benefit plans. If the decision had gone the other way, plans of church-affiliated entities that have claimed the ERISA exemption would have had exposure for ERISA non-compliance.

Contraceptive Coverage Executive Order

President Trump recently issued the Promoting Free Speech and Religious Liberty Executive Order. Among other items, it directs the relevant government agencies to consider amending the ACA’s preventive services mandate to address conscience-based objections to the requirement that certain contraceptive coverage be provided by group health plans without cost-sharing.

Qualifying religious employers are exempt from this requirement. Nonprofit religious employers and closely-held for-profit employers with religious objections may follow an accommodation process to decouple the provision of the contraceptive coverage from the group health plan (while still making contraceptive coverage available to plan members directly through the insurer); however, the accommodation process itself is controversial. In response to the Executive Order, the agencies have reportedly drafted a regulation to expand the exemption from the requirement to provide free contraceptives. The regulation has not been released.

Wellness Program Payroll Tax Reduction Program

The IRS continues to disallow arrangements that purport to allow employees to receive tax-favored payments that avoid income and employment taxes. In one arrangement, employees pay a small after-tax premium to participate in specified no-cost wellness activities and receive tax-free cash payments for participation. All employees are expected to receive, and in practice do receive, payments in an amount in excess of the premium paid. Since the risk-shifting and risk distribution elements of insurance are not present in the arrangement and there is no reimbursement for medical care, the IRS concluded that payments in excess of the employee contributions must be included in income and are subject to income tax withholding and employment taxes.

Disclosure Information
Information contained herein is generic in nature and provided by sources believed to be reliable. It is for informational purposes only and is not guaranteed as to accuracy, may not reflect our current opinion, and is not intended to replace the advice of a qualified professional. All rights reserved. No reproduction in whole or in part is permitted without the express written consent of PSA. PSA Insurance & Financial Services, its affiliates and employees are not responsible for the content of other web or social networking sites. PSA Financial Advisors, Inc. is a Registered Investment Advisory firm located at 11311 McCormick Road, Hunt Valley, MD 21031, and may only transact business in those states in which they are registered or exempted from registration. Contact our office at 410 821-7766. To protect your privacy, do not send personal information via the internet.

]]>https://www.psafinancial.com/2017/06/compliance-updates-benefit-minute-2/feed/0https://www.psafinancial.com/2017/06/compliance-updates-benefit-minute-2/Wacky facts about insurancehttp://feedproxy.google.com/~r/PsaPerspective/~3/eukB6iQI0lc/
https://www.psafinancial.com/2017/06/wacky-facts-insurance/#respondWed, 28 Jun 2017 16:01:56 +0000https://www.psafinancial.com/?p=8871In the spirit of the national insurance awareness day, we compiled seven interesting and possibly useless facts for your enjoyment. We hope you find these as amusing as we did. As you can see, almost anything can be insured. So, don’t forget to review your various insurance policies to make sure they are still protecting you as […]

]]>In the spirit of the national insurance awareness day, we compiled seven interesting and possibly useless facts for your enjoyment. We hope you find these as amusing as we did.

As you can see, almost anything can be insured. So, don’t forget to review your various insurance policies to make sure they are still protecting you as your life may have recently changed. If you need any assistance, PSA is here to help.

]]>https://www.psafinancial.com/2017/06/wacky-facts-insurance/feed/0https://www.psafinancial.com/2017/06/wacky-facts-insurance/5 Ways Cyber Insurance Can Help Your Physician’s Practice Manage Cyber Riskhttp://feedproxy.google.com/~r/PsaPerspective/~3/Eim8mcbAXIo/
https://www.psafinancial.com/2017/06/5-ways-cyber-insurance-can-help-physicians-practice-manage-cyber-risk/#respondFri, 16 Jun 2017 16:23:27 +0000https://www.psafinancial.com/?p=8836Did you know? To date, in 2017 there have been 133 reported data breaches in the healthcare industry – on average 17,849 records breached per incident. The Ponemon Institute estimates the cost per lost or stolen healthcare record to be about $400. This does not include fines and penalties, which can further increase the cost. […]

There are 3 main reasons healthcare is one of the most targeted and vulnerable industries:

Healthcare data value

Patient records often contain a combination of personally identifiable information (PII) and Protected Health Information (PHI), a treasure trove for a cybercriminal, which have a high value on the dark web.

Quick access to information

Physicians have the difficult task of balancing the protection of and quick access to large amounts of PII and PHI. In case of emergencies, you need to be able to quickly look up your patients’ records and share information without having to pass through too many safety controls. This can leave you more susceptible to cyber incidents since the human element represents the primary cause of data breaches in the healthcare industry. While 32% of the incidents are caused by an external hacker or cybercriminal, employee mistakes, misuse and malicious acts account for the majority of incidents at 68%.

Regulatory fines and penalties

The regulatory and compliance requirements for physicians also carry substantial fines and penalties for non-compliance in a cyber incident.

Given the triple challenge discussed above, a data breach or cyber incident can happen at any time, even for practices with cutting-edge cybersecurity technology. But enough doom and gloom – what can you do to protect your healthcare operation?

Cyber insurance as a backstop

Cyber insurance should be an essential part of your cybersecurity strategy that aligns with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. It serves as an effective and relatively affordable backstop when all else fails. The right coverage is critical to improve your practice’s ability to absorb an incident and recover quickly. Here are the top 5 ways cyber insurance can help you manage your exposures by providing coverage for:

Regulatory Fines and Penalties

PHI is subject to the HIPAA Privacy and Security Rules. If your patients’ healthcare information is breached, you could be fined up to $50,000 per lost or stolen record, which is in addition to the estimated cost of $400 per record discussed above. Since not all cyber policies cover fines and penalties, it is important to work with an insurance professional.

Privacy Liability & Direct Expenses

As a result of a data breach involving your patients’ PHI or PII, you could be sued by your patients or other third parties. In addition, privacy laws and regulations will often require you to notify victims and offer services to detect or repair the possible damage to their identity. Fines, penalties, legal defense costs for your failure to protect data and the direct expenses to notify and assist data breach victims can quickly add up.

Cyber Forensics Expenses

Healthcare is one of the few industries relying mostly on electronic data to provide patient services. Aware of this, cybercriminals are increasingly targeting healthcare providers with ransomware attacks, which can easily be deployed via email with infected attachments or directing an unsuspecting healthcare provider to an infected website.

One of the ways you can mitigate your losses in case of an attack is by backing up your data. However, even if you can completely restore from a backup and don’t have to pay the ransom, you must still determine what damage the malware caused on your network and confirm that no data was accessed or exposed. This requires cyber forensics to assess the scope and impact of the incident.

Reputational Harm

Mishandling a data breach or a cyber incident could seriously impact your reputation and result in loss of existing and future patients. Responding quickly after a cyber event is not easy, especially in a time of crisis. Working with an experienced Public Relations and Crisis Management professional can minimize the damage and help protect your reputation. But this service can be quite expensive.

Incident Response

Cyber insurance also helps take the confusion out of the incident response process. A good policy will provide access to and cover costs to hire a data and privacy legal expert to help quarterback the cyber incident response process. This professional can help you navigate the legal, regulatory and compliance landscape and coordinate with cyber forensics, public relations as well as members of your internal incident response team. This important feature of cyber insurance gives you a person to call the moment you experience a cyber incident or data breach.

Interested in learning more about how cyber insurance can help your practice manage cyber risk? Or do you need assistance with designing a holistic cyber resiliency strategy? Feel free to contact me at mvolk@psafinancial.com.

Disclosure Information
Information contained herein is generic in nature and provided by sources believed to be reliable. It is for informational purposes only and is not guaranteed as to accuracy, may not reflect our current opinion, and is not intended to replace the advice of a qualified professional. All rights reserved. No reproduction in whole or in part is permitted without the express written consent of PSA. PSA Insurance & Financial Services, its affiliates and employees are not responsible for the content of other web or social networking sites. PSA Financial Advisors, Inc. is a Registered Investment Advisory firm located at 11311 McCormick Road, Hunt Valley, MD 21031, and may only transact business in those states in which they are registered or exempted from registration. Contact our office at 410 821-7766. To protect your privacy, do not send personal information via the internet.

]]>https://www.psafinancial.com/2017/06/5-ways-cyber-insurance-can-help-physicians-practice-manage-cyber-risk/feed/0https://www.psafinancial.com/2017/06/5-ways-cyber-insurance-can-help-physicians-practice-manage-cyber-risk/Ever been asked to provide a Certificate of Insurance?http://feedproxy.google.com/~r/PsaPerspective/~3/Vpv9QkKzXj4/
https://www.psafinancial.com/2017/06/ever-asked-provide-certificate-insurance/#commentsThu, 08 Jun 2017 17:34:21 +0000https://www.psafinancial.com/?p=8817A question I hear from clients often is “How do I get a Certificate of Insurance?” A request for a Certificate of Insurance (COI) may be the most frequent interaction you have with your property and casualty broker or your insurance carrier. If you’ve never had to obtain a COI before, here’s an overview of […]

]]>A question I hear from clients often is “How do I get a Certificate of Insurance?” A request for a Certificate of Insurance (COI) may be the most frequent interaction you have with your property and casualty broker or your insurance carrier.

If you’ve never had to obtain a COI before, here’s an overview of what a COI is and how to request one.

What is it?

A COI is used to provide proof to a third party that your company has insurance of a certain type — e.g., liability or property insurance — with certain limits in place. It also identifies the insurance company that underwrites the policy, and is signed by your authorized insurance representative.

Why would anyone request a COI from you? You may receive these requests from a third party with whom you are conducting business – your landlord, bank, auto or equipment leasing company, clients as a requirement of client contracts, or from a venue where you are exhibiting or holding an event. A COI indicates that you have the necessary financial resources to cover their potential losses in case you cause any harm or damage to them as a result of your negligence.

The certificate is issued to a Certificate Holder, who is the entity requesting that you provide proof of coverage. The requirements that underpin a COI can vary, but they often include some of the following elements:

That certain types of insurance coverage be in place and for certain limits

That the company providing the coverage has a sufficient A.M. Best rating

That the coverage be primary – insurance that covers up to the policy’s limit whether or not other policies cover the same risk

That specific language and information (such as being named as additional insured, having a waiver of subrogation in favor of the certificate holder, written notice of cancellation, deductibles not to exceed a certain value, and references to specific locations, events, or loan numbers) be included on or with the certificate of insurance as attached endorsement copies

How do I get one?

Ask your broker or account manager to issue the certificate. At PSA, we aim to issue the document within one business day or faster! To issue the certificate, we will need some information that is required to be included:

Formal name and address of the Certificate Holder (the requesting entity)

A copy of the insurance requirements section of the contract, lease, notice, or email received that requests the certificate

If a certain coverage is required that you currently don’t have, your broker can help you make the necessary adjustments. Alternatively, specific coverages, limits, and special requirements can often be negotiated out of a contract and an agreement reached to accept current coverages.

And that’s it! The certificate is transmitted to you and/or the Certificate Holder at your direction. Your broker keeps the Certificate Holder’s information and the required certificate information on file for the next policy renewal. When policies are renewed, new certificates are issued to Certificate Holders on file if evidence of coverage is still required.

Disclosure Information
Information contained herein is generic in nature and provided by sources believed to be reliable. It is for informational purposes only and is not guaranteed as to accuracy, may not reflect our current opinion, and is not intended to replace the advice of a qualified professional. All rights reserved. No reproduction in whole or in part is permitted without the express written consent of PSA. PSA Insurance & Financial Services, its affiliates and employees are not responsible for the content of other web or social networking sites. PSA Financial Advisors, Inc. is a Registered Investment Advisory firm located at 11311 McCormick Road, Hunt Valley, MD 21031, and may only transact business in those states in which they are registered or exempted from registration. Contact our office at 410 821-7766. To protect your privacy, do not send personal information via the internet.

]]>https://www.psafinancial.com/2017/06/ever-asked-provide-certificate-insurance/feed/1https://www.psafinancial.com/2017/06/ever-asked-provide-certificate-insurance/What is a Controlled Group?http://feedproxy.google.com/~r/PsaPerspective/~3/XqS97ShDK8c/
https://www.psafinancial.com/2017/05/what-is-a-controlled-group/#respondWed, 31 May 2017 16:47:33 +0000https://www.psafinancial.com/?p=8810When several entities (whether incorporated or unincorporated) share common ownership, a controlled group or common control may exist. For many IRS benefit plan purposes, a controlled group is treated as a single employer. For example, the determination of an employer’s size for purposes of COBRA, Medicare Secondary Payer rules and the ACA’s Applicable Large Employer […]

]]>When several entities (whether incorporated or unincorporated) share common ownership, a controlled group or common control may exist. For many IRS benefit plan purposes, a controlled group is treated as a single employer. For example, the determination of an employer’s size for purposes of COBRA, Medicare Secondary Payer rules and the ACA’s Applicable Large Employer status are determined on a controlled group basis. IRS non-discrimination testing is generally performed on a controlled group basis. This Benefit Minute provides a high level overview of controlled groups.

The controlled group rules can be found in sections 414(b) and 414(c) of the Internal Revenue Code. Section 414(b) applies to corporations while 414(c) applies to trades or businesses such as partnerships. The types of controlled groups are parent-subsidiary, brother-sister or a combination of both.

Parent-Subsidiary

A parent-subsidiary controlled group exists when one entity (the parent) has a controlling interest in one other entity (the subsidiary) or several other entities. For this purpose a controlling interest is defined as 80% or greater interest in stock, voting power, profits, interest or capital interest (depending on the type of entity). A parent-subsidiary controlled group can also consist of a chain of businesses connected by ownership. In this case, a subsidiary of one entity can also be the parent of another entity by virtue of at least 80% ownership.

Brother-Sister

A brother-sister controlled group exists when the same five or fewer individuals or entities satisfy the following ownership requirements:

Together own 80% or more of each entity (total ownership); and

Own more than 50% of each entity when taking into account only the smallest ownership percentage of each individual in any entity being considered (effective ownership).

This concept can best be illustrated by the following example which shows that Company B and Company C, but not Company A, are a brother-sister controlled group with total ownership of 95% in each entity and effective control of 55% (percentages shown in bold).

Company A

Company B

Company C

# 1

20%

40%

20%

# 2

5%

10%

40%

# 3

25%

45%

25%

Total

50%

95%

95%

Combination Group

A combination controlled group consists of three or more entities whereby each entity is a member of either a parent-subsidiary controlled group or a brother-sister controlled group and at least one entity is the common parent and also a member of a brother-sister group.

Ownership Attribution Rules

When determining ownership or interest percentages, family member constructive ownership rules apply. For example, in many cases, an individual is considered to own stock that is owned directly or indirectly by or for a spouse or a minor child. In addition, Section 1563(e) of the Internal Revenue Code has constructive ownership rules for stock options and for interests in partnerships, estates, trusts and corporations.

Not-for-Profit Entities

Similar controlled group rules also apply to not-for-profit entities based on board control. Common control exists between an exempt organization and another organization if at least 80% of the directors or trustees of one organization are:

On the board of the other organization;

Employed by the other organization; or

Can be removed and replaced as a board member or trustee by the other organization.

Affiliated Service Groups

Even without the requisite ownership percentage, entities may be treated as a controlled group under the affiliated service group rules. These rules can be found in section 414(m) of the Internal Revenue Code. Affiliated service groups are, in general, a group of businesses working together to provide services to each other or to common customers. They generally arise in the personal services industries, but can also arise when one entity performs management-type functions for one or more other entities.

For example, ABC Partnership is a law partnership with offices in numerous cities. EFG P.C. is a corporation that is a partner in the law firm. EFG P.C. provides paralegal and administrative services for the attorneys in the law firm. All of the employees of the corporation work directly for the corporation, and none of them work directly for any of the offices of the law firm.

Since the corporation is regularly associated with the law firm in performing services for third parties, together they constitute an affiliated service group, even absent the requisite ownership interest needed for a controlled group. The employees of both entities must be treated as if they were employed as a single employer for many benefit plan purposes.

This Is Complicated

Controlled group rules are complex and the analysis is detailed and cumbersome. It requires a complete understanding of all entities that may be related and all ownership interests of each entity. In some cases, entities that are related may not even be aware that each other exist. Entities that are uncertain whether the controlled group rules apply need to consult with an attorney or tax accountant who is familiar with the rules and can perform the analysis.

Disclosure Information
Information contained herein is generic in nature and provided by sources believed to be reliable. It is for informational purposes only and is not guaranteed as to accuracy, may not reflect our current opinion, and is not intended to replace the advice of a qualified professional. All rights reserved. No reproduction in whole or in part is permitted without the express written consent of PSA. PSA Insurance & Financial Services, its affiliates and employees are not responsible for the content of other web or social networking sites. PSA Financial Advisors, Inc. is a Registered Investment Advisory firm located at 11311 McCormick Road, Hunt Valley, MD 21031, and may only transact business in those states in which they are registered or exempted from registration. Contact our office at 410 821-7766. To protect your privacy, do not send personal information via the internet.